Ensure that Cluster Version Operator is deployed

An XCCDF Rule

Description

Integrity of the OpenShift platform is handled to start by the cluster version operator. Cluster Version Operator will by default GPG verify the integrity of the release image before applying it. [1] This rule checks if Cluster Version Operator is deployed and available in the system. [1] https://github.com/openshift/machine-config-operator/blob/master/docs/OSUpgrades.md#questions-and-answers

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

/apis/config.openshift.io/v1/clusterversions/version API endpoint, filter with with the jq utility using the following filter [.status.conditions[] | select(.type=="Available") | .status] and persist it to the local /apis/config.openshift.io/v1/clusterversions/version#588c29ac9d4c67b1444308c5ba310271832895fee54701f7d0cb6cbced390443 file.

Rationale

Integrity check prevent a malicious actor from using a unauthorized system image, hence it will ensure the image has not been tampered with, or corrupted.

ID: xccdf_org.ssgproject.content_rule_cluster_version_operator_exists
Severity: Medium
References: SA-10(1)

SRG-APP-000384-CTR-000915

CCE-90670-1
Updated: about 1 year ago